
Deployment Checklist

TikTok Cross-Border Internet Service

Version: 1.0.0
Last Updated: 2026-01-15
Purpose: Step-by-step deployment guide for customer onboarding


Pre-Deployment Preparation

☐ Customer Information Collection

Business Details:
- [ ] Company name (legal entity)
- [ ] Business registration number
- [ ] Contact person name and title
- [ ] Primary phone number
- [ ] Backup phone number
- [ ] Email address
- [ ] WeChat ID
- [ ] Business address (installation location)

Technical Requirements:
- [ ] Number of concurrent devices (estimate)
- [ ] Required bandwidth (20Mbps / 50Mbps / 100Mbps)
- [ ] Service tier selected (Basic / Standard / Enterprise)
- [ ] Special requirements or restrictions
- [ ] Preferred installation date/time
- [ ] On-site technical contact

Network Environment:
- [ ] Current ISP (China Telecom / China Unicom / China Mobile)
- [ ] Current bandwidth subscription
- [ ] Existing router model (will be replaced)
- [ ] Network topology (single office / multiple floors / branches)
- [ ] Static IP requirement (yes/no)

☐ Service Agreement

Legal Documents:
- [ ] Service agreement signed
- [ ] Payment terms confirmed (monthly/annual)
- [ ] Initial payment received
- [ ] Invoice issued
- [ ] Terms of service acceptance
- [ ] Privacy policy acknowledgment
- [ ] Acceptable use policy signed

SLA Terms:
- [ ] Uptime guarantee: 99% (Basic), 99.5% (Standard), 99.9% (Enterprise)
- [ ] Response time: 24h (Basic), 8h (Standard), 2h (Enterprise)
- [ ] Support hours defined
- [ ] Escalation procedures documented

☐ Hardware Preparation

Customer Premises Equipment (CPE):
- [ ] Router model selected based on device count:
  - Basic (5 devices): Xiaomi AX3000T / Redmi AX6
  - Standard (20 devices): Xiaomi AX6000 / Redmi AX6000
  - Enterprise (unlimited): x86 mini PC (N5105/N100) + OpenWrt
- [ ] Router firmware flashed with OpenWrt/ImmortalWrt
- [ ] OpenClash installed and tested
- [ ] Power adapter and cables prepared
- [ ] Ethernet cables (CAT5e or better)
- [ ] Wall mounting brackets (if needed)

VPS Infrastructure:
- [ ] VPS allocated for customer (shared or dedicated based on tier)
- [ ] Xray installed and configured
- [ ] Caddy installed with TLS certificate
- [ ] Exit node SOCKS5 credentials obtained
- [ ] DNS configured (A record pointing to VPS)
- [ ] Firewall rules configured (ports 80, 443 open)

Configuration Files:
- [ ] Customer-specific UUID generated
- [ ] config.yaml customized from template
- [ ] xray/config.json prepared
- [ ] Caddyfile prepared with customer subdomain
- [ ] Loyalsoldier rules downloaded (latest version)


Deployment Day

☐ Pre-Installation Verification (Remote)

1. VPS Health Check (15 minutes):

# SSH to VPS
ssh [email protected]

# Check Xray status
docker ps | grep xray

# Check Caddy status
docker ps | grep caddy

# Verify TLS certificate
curl -I https://customer-vps.ata.lol

# Test exit node connectivity
curl --socks5 proxy.starzone.io:51313 https://ipinfo.io/ip
- [ ] Xray container running
- [ ] Caddy container running
- [ ] TLS certificate valid (not expired)
- [ ] Exit node SOCKS5 accessible
- [ ] Egress IP confirmed (168.148.92.254 or customer-specific)

2. Configuration File Review (10 minutes):

# On local machine
cd /path/to/customer-config

# Verify UUID is unique
grep "uuid" config.yaml

# Verify server address
grep "server:" config.yaml

# Verify TLS enabled
grep "tls: true" config.yaml
- [ ] UUID matches VPS configuration
- [ ] Server address correct (customer-vps.ata.lol)
- [ ] TLS enabled on both VMess and VLESS
- [ ] Health check URLs correct
- [ ] Loyalsoldier rules path correct
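
The three greps in step 2 only show that a matching line exists somewhere in the file. As an added example (not part of the original checklist), the script below checks the listed items per proxy entry: TLS on every proxy, the expected server on every proxy, and each client UUID present in the Xray config. The helper names, file layout and placeholder UUID are assumptions, and the check is line-based, expecting one `server:`, `uuid:` and `tls:` line per `- name:` entry.

```shell
#!/bin/sh
# Added example for the step-2 review; helper names and file layout are assumed.
# review_config CLASH_YAML XRAY_JSON EXPECTED_SERVER -> returns 0 if all checks pass
review_config() {
    want=$3 rc=0
    # Only the top-level "proxies:" section counts (proxy-groups also use "- name:").
    sec=$(awk '/^proxies:/ {p=1; next} /^[A-Za-z]/ {p=0} p' "$1")
    n_proxy=$(printf '%s\n' "$sec" | grep -cE '^ *- *name:' || true)
    n_tls=$(printf '%s\n' "$sec" | grep -cE '^ *tls: *true *$' || true)
    n_srv=$(printf '%s\n' "$sec" | sed -n 's/^ *server: *//p' | grep -cxF "$want" || true)
    uuids=$(printf '%s\n' "$sec" | sed -n 's/^ *uuid: *//p' | sort -u)
    [ "$n_proxy" -gt 0 ] || { echo "FAIL: no proxies found"; rc=1; }
    [ "$n_tls" -eq "$n_proxy" ] ||
        { echo "FAIL: tls: true on $n_tls of $n_proxy proxies"; rc=1; }
    [ "$n_srv" -eq "$n_proxy" ] ||
        { echo "FAIL: $n_srv of $n_proxy proxies point at $want"; rc=1; }
    [ -n "$uuids" ] || { echo "FAIL: no uuid found"; rc=1; }
    # Each client UUID must be provisioned as an "id" in the Xray config.
    for u in $uuids; do
        grep -qE "\"id\" *: *\"$u\"" "$2" ||
            { echo "FAIL: uuid $u missing from $2"; rc=1; }
    done
    return $rc
}

# Constructed sample files (placeholder UUID, not a real credential).
make_samples() {
    cat > "$1/config.yaml" <<'EOF'
proxies:
  - name: LA-VMess
    type: vmess
    server: customer-vps.ata.lol
    uuid: 00000000-0000-4000-8000-000000000001
    tls: true
  - name: LA-VLESS
    type: vless
    server: customer-vps.ata.lol
    uuid: 00000000-0000-4000-8000-000000000001
    tls: true
proxy-groups:
  - name: PROXY
    type: select
    proxies: [LA-VMess, LA-VLESS]
EOF
    cat > "$1/xray.json" <<'EOF'
{"inbounds": [{"protocol": "vmess",
  "settings": {"clients": [{"id": "00000000-0000-4000-8000-000000000001"}]}}]}
EOF
}

tmp=$(mktemp -d) && make_samples "$tmp"
review_config "$tmp/config.yaml" "$tmp/xray.json" customer-vps.ata.lol && echo "PASS"
rm -rf "$tmp"
```

A quoted `uuid:` or `server:` value fails the comparison rather than passing silently, so a FAIL on a config that looks correct usually means the YAML style differs from the assumed one.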

☐ On-Site Installation (Customer Location)

3. Physical Installation (30 minutes):

Replace Existing Router:
- [ ] Take photo of existing router connections (for reference)
- [ ] Document existing WiFi SSID and password
- [ ] Power off existing router
- [ ] Disconnect WAN cable from old router
- [ ] Disconnect LAN cables from old router
- [ ] Remove old router and store safely

Install New Router:
- [ ] Connect WAN cable to new router WAN port
- [ ] Connect LAN cables to new router LAN ports (1-4)
- [ ] Connect power adapter
- [ ] Power on router
- [ ] Wait 60 seconds for boot

Verify Basic Connectivity:
- [ ] Router LED indicators normal (power, WAN, LAN)
- [ ] Laptop can connect to router via Ethernet
- [ ] Router web interface accessible (http://192.168.1.1 or default)
- [ ] Internet accessible WITHOUT proxy (test: curl http://baidu.com)

4. OpenClash Configuration Upload (20 minutes):

# Connect to router
ssh [email protected]
# Default password: check router documentation

# Backup existing config (if any)
cp /etc/openclash/config.yaml /etc/openclash/config.yaml.backup

# Upload new config via SCP (from local machine)
scp config.yaml [email protected]:/etc/openclash/config.yaml

# On router: Set correct permissions
chmod 644 /etc/openclash/config.yaml
chown root:root /etc/openclash/config.yaml
  • Config file uploaded successfully
  • Permissions set correctly
  • Backup created

5. Start OpenClash Service (10 minutes):

# On router
/etc/init.d/openclash start

# Wait 30 seconds for initialization

# Check status
/etc/init.d/openclash status

# Verify process running (the [c] stops grep from matching its own process)
ps | grep '[c]lash'
  • OpenClash service started
  • Process running (PID visible)
  • No error messages in logs

6. Proxy Health Verification (15 minutes):

# Check proxy status via API
curl -s http://127.0.0.1:9090/proxies | jq

# Specifically check LA-VMess
curl -s http://127.0.0.1:9090/proxies/LA-VMess | jq '.alive'
# Expected: true

# Check LA-VLESS
curl -s http://127.0.0.1:9090/proxies/LA-VLESS | jq '.alive'
# Expected: true

# Verify egress IP
curl --proxy http://127.0.0.1:7890 https://ipinfo.io/ip
# Expected: 168.148.92.254 (or customer-specific exit IP)
  • LA-VMess: alive=true
  • LA-VLESS: alive=true
  • Egress IP matches expected exit node
  • Latency <300ms

7. Smart Routing Verification (15 minutes):

Test Domestic Sites (Should NOT Use Proxy):

# From router (-o /dev/null discards the body so only the total time is printed)
curl -s -o /dev/null -w "%{time_total}\n" http://baidu.com
# Expected: <0.1s (fast, direct connection)

curl -s -o /dev/null -w "%{time_total}\n" http://taobao.com
# Expected: <0.1s (fast, direct connection)

# Check rule matching
curl -s http://127.0.0.1:9090/rules | grep -i baidu
# Expected: Rule: DIRECT

  • Baidu accessible and fast (<100ms)
  • Taobao accessible and fast (<100ms)
  • JD.com accessible and fast (<100ms)
  • Rules show DIRECT for domestic sites

Test International Sites (Should Use Proxy):

# From router (-o /dev/null discards the body so only the total time is printed)
curl -s -o /dev/null -w "%{time_total}\n" https://www.google.com
# Expected: 0.5-2s (via proxy)

curl -s -o /dev/null -w "%{time_total}\n" https://www.facebook.com
# Expected: 0.5-2s (via proxy)

# Check rule matching
curl -s http://127.0.0.1:9090/rules | grep -i google
# Expected: Rule: PROXY or LA-VMess

  • Google accessible (may be slow, but reachable)
  • Facebook accessible
  • Instagram accessible
  • TikTok.com accessible
  • Rules show PROXY for international sites

8. WiFi Configuration (10 minutes):

# Via web interface (http://192.168.1.1)
# OR via SSH

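# Set WiFi SSID (match customer preference or existing SSID)
uci set wireless.@wifi-iface[0].ssid='CustomerCompany-Office'

# Set WiFi password (minimum 8 characters, WPA2)
uci set wireless.@wifi-iface[0].encryption='psk2'
uci set wireless.@wifi-iface[0].key='SecurePassword123'

# Enable WiFi
uci set wireless.@wifi-iface[0].disabled='0'

# Enable 5GHz band (if available); give it the same SSID, encryption and key first,
# because an interface left at OpenWrt defaults broadcasts without encryption
uci set wireless.@wifi-iface[1].ssid='CustomerCompany-Office'
uci set wireless.@wifi-iface[1].encryption='psk2'
uci set wireless.@wifi-iface[1].key='SecurePassword123'
uci set wireless.@wifi-iface[1].disabled='0'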

# Commit changes
uci commit wireless

# Restart WiFi
wifi reload
  • 2.4GHz WiFi enabled and broadcasting
  • 5GHz WiFi enabled (if supported)
  • SSID matches customer request
  • Password documented in customer file
  • Test device can connect via WiFi

9. End-User Device Testing (20 minutes):

Test with Customer's Devices:

Mobile Phone (iPhone/Android):
- [ ] Connect to WiFi
- [ ] Open WeChat (should work, domestic)
- [ ] Open Taobao/JD (should work, fast)
- [ ] Open TikTok app (should work, may require account)
- [ ] Open Instagram app (should work via proxy)
- [ ] Open Chrome, visit google.com (should work via proxy)
- [ ] Check IP: visit ipinfo.io (should show 168.148.92.254)

Laptop (Windows/Mac):
- [ ] Connect to WiFi or Ethernet
- [ ] Open browser, visit baidu.com (fast, direct)
- [ ] Open browser, visit google.com (slower, via proxy)
- [ ] Open TikTok Seller Center (https://seller.tiktok.com)
- [ ] Login to customer's TikTok account
- [ ] Verify account not flagged/banned
- [ ] Check IP: visit ipinfo.io (should show US IP)

Tablet/Additional Devices:
- [ ] Connect additional devices as needed
- [ ] Verify all devices can access internet
- [ ] Verify no conflicts or connection issues

10. Performance Benchmark (10 minutes):

# From client device connected to router

# Speed test (domestic)
curl -o /dev/null -s -w "Speed: %{speed_download} bytes/sec\n" http://speedtest.cn/sample.bin

# Speed test (international, via proxy); the URL is quoted so the shell does not treat "?" as a glob
curl -o /dev/null -s -w "Speed: %{speed_download} bytes/sec\n" "https://speed.cloudflare.com/__down?bytes=10000000"

# Latency test
ping -c 10 baidu.com
# Expected: <50ms

ping -c 10 8.8.8.8
# Expected: 180-250ms (via proxy to US)
  • Domestic speed ≥ ISP bandwidth (e.g., 100Mbps → ~12MB/s)
  • International speed ≥ service tier (Basic: 20Mbps, Standard: 50Mbps)
  • Latency to domestic sites <50ms
  • Latency to US sites <300ms
  • No packet loss

Post-Installation

☐ Documentation & Handoff (15 minutes)

11. Customer Training:

  • Show customer OpenClash dashboard (http://192.168.1.1/cgi-bin/luci/admin/services/openclash)
  • Explain proxy selector (if multiple proxies)
  • Explain how to check connection status
  • Demonstrate speed test procedure
  • Explain what to do if internet stops working

Basic Troubleshooting Steps for Customer:
1. Check if router power is on
2. Check if WAN cable connected
3. Restart router (power cycle)
4. Wait 2 minutes, test again
5. If still not working, call support

  • Customer understands basic troubleshooting
  • Customer knows support contact (phone/WeChat)
  • Customer knows support hours

12. Provide Documentation:

Print or send via WeChat:
- [ ] WiFi SSID and password (printed card)
- [ ] Router admin URL and credentials
- [ ] Support hotline number
- [ ] Support WeChat QR code
- [ ] Quick troubleshooting guide (1-page PDF)
- [ ] Terms of service (signed copy)

13. Customer Acceptance:

  • Customer tests all required applications
  • Customer confirms internet working
  • Customer confirms TikTok accessible
  • Customer signs acceptance form
  • Take photo of signed form
  • Upload to customer record

Remote Monitoring Setup

☐ Add to Monitoring System (30 minutes)

14. Configure Monitoring (if Prometheus/Grafana available):

# On monitoring server
cd /etc/prometheus

# Add customer router to targets
cat >> prometheus.yml <<EOF
  - job_name: 'customer-router-companyname'
    static_configs:
      - targets: ['customer-router-ip:9090']
        labels:
          customer: 'CompanyName'
          tier: 'Standard'
          location: 'Shanghai'
EOF

# Reload Prometheus
systemctl reload prometheus
  • Router added to Prometheus targets
  • Grafana dashboard shows customer metrics
  • Alerts configured (proxy down, high latency)

15. Configure Health Checks:

# Create health check script (on monitoring server)
cat > /usr/local/bin/check-customer-router.sh <<'EOF'
#!/bin/bash
ROUTER_IP="customer-router-ip"
PROXY_API="http://${ROUTER_IP}:9090/proxies"

# Check if LA-VMess is alive (10-second timeout so a hung router cannot stall the cron job)
ALIVE=$(curl -s --max-time 10 "${PROXY_API}/LA-VMess" | jq -r '.alive')

if [ "$ALIVE" != "true" ]; then
    # Send alert (WeChat/Email/SMS)
    echo "ALERT: Customer router proxy down - $(date)" >> /var/log/alerts.log
    # TODO: Integrate with alerting system
fi
EOF

chmod +x /usr/local/bin/check-customer-router.sh

# Add to cron (every 5 minutes), keeping the entries already in the crontab
( crontab -l 2>/dev/null; echo "*/5 * * * * /usr/local/bin/check-customer-router.sh" ) | crontab -
  • Health check script created
  • Cron job scheduled
  • Test alert sent successfully
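
The health-check script above treats an empty reply the same as a dead proxy and writes a log line every five minutes for as long as the fault lasts. As an added example (not the original script), the version below separates an unreachable router from a proxy that is down and reports only state changes. The function names, the state-file location and the `CLASH_SECRET` variable are assumptions, and the reply is matched as text so it runs without jq.

```shell
#!/bin/sh
# Added example: proxy health check that reports state changes only.
# Assumes the Clash API reply contains "alive":true|false and that CLASH_SECRET
# holds the controller secret from config.yaml (hypothetical variable name).

# proxy_state BODY -> prints up | down | unknown
proxy_state() {
    case $(printf '%s' "$1" | tr -d ' \t\r\n') in
        *'"alive":true'*)  echo up ;;
        *'"alive":false'*) echo down ;;
        *)                 echo unknown ;;  # empty body, timeout, 401, error page
    esac
}

# state_changed STATE_FILE NEW_STATE -> exit 0 if NEW_STATE differs from the stored one.
# A missing state file counts as "up", so the first failure is still reported.
state_changed() {
    old=$(cat "$1" 2>/dev/null || echo up)
    printf '%s\n' "$2" > "$1"
    [ "$old" != "$2" ]
}

# check_proxy ROUTER_IP PROXY_NAME STATE_DIR : prints one line per transition.
check_proxy() {
    body=$(curl -s --max-time 10 -H "Authorization: Bearer ${CLASH_SECRET:-}" \
        "http://$1:9090/proxies/$2" || true)
    new=$(proxy_state "$body")
    if state_changed "$3/$2.state" "$new"; then
        echo "$(date -u +%FT%TZ) $1 $2 -> $new"
    fi
}

# Constructed replies standing in for the API, so this demo needs no network.
d=$(mktemp -d)
for reply in '{"name":"LA-VMess","alive":true}' '' '{"name":"LA-VMess","alive":false}'; do
    s=$(proxy_state "$reply")
    state_changed "$d/LA-VMess.state" "$s" && echo "alert: LA-VMess -> $s"
done
rm -rf "$d"
```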

16. Update Customer Database:

  • Customer record created in CRM/database
  • Router IP address recorded
  • VPS hostname recorded
  • Service tier recorded
  • Installation date recorded
  • Next billing date recorded
  • Support ticket system updated

Day 1-7 Follow-Up

☐ Post-Installation Monitoring

Day 1 (24 hours after installation):
- [ ] Check router uptime (should be 100%)
- [ ] Check proxy health (alive=true)
- [ ] Review bandwidth usage
- [ ] Call customer: "Is everything working well?"
- [ ] Ask if any issues or questions

Day 3 (72 hours after installation):
- [ ] Check router uptime
- [ ] Check for any error patterns in logs
- [ ] Review bandwidth usage (is it within expected range?)
- [ ] WeChat message: "Hi, just checking in. Any issues?"

Day 7 (1 week after installation):
- [ ] Full system health check
- [ ] Generate usage report
- [ ] Call customer: "End of first week, any feedback?"
- [ ] Ask if they want to upgrade/downgrade tier
- [ ] Ask if they would refer other companies (incentive?)

Issues Found?:
- [ ] Document issue in customer record
- [ ] Resolve issue remotely or schedule on-site visit
- [ ] Follow up with customer after resolution


Monthly Maintenance

☐ Recurring Tasks

Every Month (before billing cycle):
- [ ] Check router uptime (target: 99%+)
- [ ] Update Loyalsoldier rules (if new version available)
- [ ] Review bandwidth usage
- [ ] Review proxy latency trends
- [ ] Check for firmware updates (OpenWrt/OpenClash)
- [ ] Generate monthly report for customer
- [ ] Send invoice
- [ ] Confirm payment received

Quarterly (every 3 months):
- [ ] Schedule maintenance window with customer
- [ ] Update router firmware (if needed)
- [ ] Update Xray/Caddy on VPS (if security patches)
- [ ] Review and optimize rules
- [ ] Customer satisfaction survey
- [ ] Review service tier (upgrade/downgrade?)

Annually (every 12 months):
- [ ] Full system audit
- [ ] Review contract renewal
- [ ] Offer annual prepay discount (15% off)
- [ ] Hardware refresh (if router old/failing)
- [ ] Review pricing and adjust if needed


Troubleshooting During Deployment

Common Issues & Quick Fixes

Issue: Router can't access VPS (connection timeout)
- Check: VPS firewall (ports 80, 443 open?)
- Check: VPS running? (docker ps on VPS)
- Check: Correct server address in config.yaml?
- Fix: Verify DNS resolution (nslookup customer-vps.ata.lol)

Issue: Proxy shows alive=false
- Check: Mux disabled in xray config? (see OPENCLASH_MUX_FIX_JAN15_2026.md)
- Check: Exit node SOCKS5 working? (curl --socks5 proxy.starzone.io:51313 https://ipinfo.io/ip)
- Check: UUID matches between router and VPS?
- Fix: Disable mux, restart Xray

Issue: Domestic sites slow
- Check: Rules loaded? (curl http://127.0.0.1:9090/rules | wc -l should show 345000+)
- Check: Baidu/Taobao showing "DIRECT" in rules?
- Fix: Re-download Loyalsoldier rules, restart OpenClash

Issue: International sites not accessible
- Check: Proxy health (alive=true?)
- Check: Exit node working?
- Check: Correct rule priority (international sites should match PROXY rule)?
- Fix: Check VPS logs (docker compose logs xray)

Issue: WiFi not broadcasting
- Check: WiFi enabled in config? (uci show wireless)
- Check: Country code set? (required for 5GHz)
- Fix: wifi reload or reboot

Issue: Customer devices show "No Internet"
- Check: Router WAN connected?
- Check: Router can ping 8.8.8.8?
- Check: DNS working? (nslookup baidu.com)
- Fix: Check ISP connection, restart router


Rollback Procedure

If Deployment Fails

Plan A: Fix On-Site (if issue is minor):
1. Identify root cause (check logs)
2. Apply fix (config change, restart service)
3. Test again
4. Proceed if working

Plan B: Restore Old Router (if unfixable on-site):
1. Power off new router
2. Reconnect old router (use reference photo)
3. Verify customer internet working
4. Apologize and schedule return visit
5. Troubleshoot issue remotely before next visit

Plan C: Remote Recovery (if router accessible remotely):
1. SSH to router from office
2. Review logs: /tmp/openclash.log
3. Fix configuration
4. Restart OpenClash
5. Verify proxy health remotely
6. Call customer to test


Deployment Time Estimate

Total Time: 3-4 hours

| Phase | Time |
|---|---|
| Pre-installation verification (remote) | 30 min |
| Travel to customer site | 30-60 min |
| Physical installation | 30 min |
| Configuration upload | 20 min |
| Service start & verification | 25 min |
| Smart routing tests | 15 min |
| WiFi setup | 10 min |
| End-user device testing | 20 min |
| Performance benchmark | 10 min |
| Customer training & handoff | 15 min |
| Documentation | 10 min |
| Travel back | 30-60 min |

Recommended: Schedule 4-hour window, arrive early


Deployment Team Roles

For Small Team (1-2 people):

Engineer (required):
- Responsible for all technical tasks
- Configuration, installation, testing
- Troubleshooting

Sales/Account Manager (optional but recommended):
- Customer relationship
- Collect feedback
- Upsell opportunities
- Handle paperwork

For Larger Team (3+ people):

Senior Engineer:
- Pre-deployment verification
- Complex troubleshooting
- Remote monitoring setup

Installation Technician:
- On-site physical installation
- Basic testing
- Customer training

Customer Success Manager:
- Customer relationship
- Documentation handoff
- Follow-up calls
- Billing and renewals


Success Criteria

Deployment is considered successful when:

  • All proxies showing alive=true
  • Domestic sites fast (<100ms, direct connection)
  • International sites accessible (TikTok, Instagram, Google)
  • Egress IP matches exit node
  • Customer devices all connected and working
  • Customer trained and satisfied
  • Acceptance form signed
  • Monitoring configured
  • No critical issues

Emergency Contacts

Internal Team

  • Technical Lead: [Phone] / [WeChat]
  • On-Call Engineer: [Phone] (24/7 for Enterprise customers)
  • Customer Support: [Phone] / [Email]

External Vendors

  • VPS Provider: [Support URL] / [Ticket System]
  • Exit Node Provider: [Support Email] / [Phone]
  • ISP Hotline: 10000 (Telecom), 10010 (Unicom), 10086 (Mobile)

Appendix: Pre-Installation Checklist Summary

Print this page and bring to customer site:

☐ Customer info collected
☐ Service agreement signed
☐ Payment received
☐ Hardware prepared
☐ VPS configured and tested
☐ Configuration files ready
☐ Tools ready (laptop, cables, screwdriver)
☐ Customer appointment confirmed
☐ Backup router available (in case of failure)
☐ Mobile hotspot available (for remote access if needed)
☐ Printed documentation for customer
☐ Acceptance form (blank, for customer signature)
☐ Business cards
☐ Promotional materials (if available)

Document Version: 1.0.0
Effective Date: 2026-01-15
Next Review: 2026-04-15 (quarterly)

Maintained By: Technical Team
Approved By: [Management Name]

Feedback: If you find errors or have suggestions for improving this checklist, please update the document and commit changes to the repository.